- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is the rex capture not working?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I am trying to capture line starting with a number, I have created a regex and tested it in regex101 site and it is working as expected but when I used the same in Splunk using rex it is failing to capture and the result is blank.
https://regex101.com/r/OLUh4A/1
Text:
Cluster GUID: xxxxxxxxxxxxxxx
Sender OneFS Version: Isilon OneFS v8.0.0.6 B_MR_8_0_0_6_117(RELEASE)
Sender Serial Number: xxxxxxx
Node 5 Eventgroups
------------------------------------------------------------------------
OneFS Version: Isilon OneFS v8.0.0.6 B_MR_8_0_0_6_117(RELEASE)
Serial Number: xxxxxxxx
------------------------------------------------------------------------
ID Started Sev Message
------------------------------------------------------------------------
136486 09/02 03:33 I SmartQuotas threshold violation on quota exceeded,
domain directory /xx/xxxxxxx/NAM/xxxxx/xxxxxx/Cisco
Attachment Manifest:
Attached:
events-000e1ea5fexxxxxx-xxxxxxxxx.xml
quotaexceeded.35738
- events-000e1eaxxxxxxxxdccc983-xxxxxx.xml -
quotaexceeded.35738
Regex used : [\s\S]*(?<ID>^\d{1,})\s(?<time>\d{2}\/\d{2}\s\d{2}:\d{2})\s{1,}(?<sev>\w)\s{1,}(?<message>[\s\S]*)Attachment\sManifest:[\s\S]*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi nareshkumar1985,
did you already tried to add (?ms) at the beginning of your regex?
bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi nareshkumar1985,
did you already tried to add (?ms) at the beginning of your regex?
bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Giuseppe,
Thanks after adding it working, could you please let me know the purpose of adding (?ms) at the beginning of the regex.
Regards,
Naresh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
in regex101 there are (on the right of the regex box) the regex options (/gm) that you need to insert in your regex in Splunk.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, Giuseppe
Devesh Logendran, Splunk, and the Singapore Cyber Conquest
There's No Place Like Chrome and the Splunk Platform
Customer Experience | Join the Customer Advisory Board!
